SevOne NMS Port Number Requirements Guide

About

SevOne peers communicate with each other to maintain a consistent environment. The ports listed below must be open between every pair of peers, in the directions shown.

Important: Encryption

Most ports use TLS as the encryption technology; the protocol version and cipher suite are negotiated from the client and server configuration. The same is true for SSH. For some ports the exact encryption method therefore cannot be guaranteed: on TLS port 443, for example, the result depends on what the client's browser offers.

Important: Starting with SevOne NMS 6.7.0, the MySQL database has moved to MariaDB 10.6.12.

Note: Terminology usage

In this guide, any reference to "master" (in the text, in a CLI command, or in a command's output) means "leader", and any reference to "slave" means "follower".

Peer Port Assignments

Minimum Ports Required for NMS Cluster Operation

The minimum port requirement is the set of ports needed by the PAS and/or between peers.

Note: The port configured for communication with the WMI proxy must be opened in the firewall.
IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose
ICMP (*) | N | n/a | -> PAS; -> DNC; -> HSA; <-> Between Peers | Interpeer monitoring. ICMP from and to devices and interpeer monitoring.
TCP 22 (*) | Y | SSH-based encryption - can be configured by an admin user | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> iDRAC; -> Data Insight | SSH access - remote login. Required for SevOne Data Insight to update or install the Data Insight Reporting API (DIRA).
TCP 80 | N | n/a | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> Data Insight | HTTP, SOAP API, and AJAX calls - end user terminal. UI port for Data Insight (configurable using environment variables); Data Insight uses port 80 only to redirect HTTP (80) requests to HTTPS (443).
TCP 389 | N | n/a | PAS -> LDAP | LDAP (clear text) server port; not used for secure configurations.
TCP 443 (*) | Y | TLS-based encryption - can be configured by an admin user | -> PAS; -> DNC; -> HSA; <-> Between Peers | HTTPS. For Livemaps in the REST API, the Cluster Leader and peer use HTTPS on port 443; if that connection is unavailable, it falls back to HTTP on port 80. Note that this fallback carries the Livemaps traffic in clear text, so blocking 443 between peers does not fail closed.
TCP 443 (for AWS or Azure) | Y | TLS-based encryption | -> AWS; -> Azure | For monitoring AWS or Azure services. Important: for AWS, calls are also made to the endpoint https://sts.us-east-1.amazonaws.com/ to assume IAM roles.
TCP 636 | Y | TLS-based encryption | PAS -> LDAP | LDAP (SSL) server port.
TCP 873 | N | n/a | <-> Between Peers | RSYNC - interpeer.
TCP 3306 (*) | Y | TLS-based encryption | <-> Between Peers | MySQL - interpeer.
TCP 3307 (*) | Y | TLS-based encryption | <-> Between Peers | MySQL2 - interpeer.
TCP 5051 | N | n/a | -> Export Destination | Raw Data Export - SevOne Raw Data Feed (optional, for customer streaming data).
TCP 8082 | N | n/a | -> PAS | SevOne Data Publisher status page (optional / configured); on by default.
TCP 8123 | n/a | n/a | <-> Between Peers | Squid (5.7.2) / Polipo (5.7.1) interpeer proxy for VMware vCenter.
TCP 8443 | Y | TLS-based encryption - can be configured by an admin user | -> PAS | Secure port for the SevOne Data Publisher status page (optional / configured); off by default.
TCP 9092 (*) | Y | TLS-based encryption | <-> Between Peers | Apache Kafka.
TCP, UDP 9094 | N | n/a | -> Cluster Leader & HSA; <-> Peers | Prometheus clustering, for Alertmanager high availability. Important: peers connect to the Cluster Leader's port 9094 to report alerts and outages as part of Prometheus; this port must be open to the other peers in the cluster.
TCP 9443 | Y | TLS-based encryption | Web Browser <-> Cluster Leader | Required for Self Service Upgrades. Important: for Self Service Upgrades, the Graphical User Interface installer binds to TCP 9443 on the Cluster Leader and runs a service that the user connects to from the browser over HTTPS. If the Graphical User Interface installer is required, this port must be exposed.
TCP 60006 (*) | Y | SSH (sshd) | <-> Between Peers | sshd server - interpeer.
TCP 60007 (*) | Y | ZMQ Curve-based encryption | <-> Between Peers | SevOne-requestd, reserved - interpeer.
UDP 123 | N | n/a | -> PAS; -> DNC; -> HSA; <-> Between Peers | NTP interpeer time sync. NTP - interpeer and to the NTP time source.
UDP 161 | N | n/a | PAS ->; DNC ->; HSA ->; <-> Between Peers | SNMP interpeer monitoring. SNMP - to devices and interpeer.
UDP 162 | N | n/a | -> PAS; -> HSA; <-> Between Peers | SNMP trap interpeer monitoring and traps from devices (optional).
UDP, TCP 514 (**) | N | n/a | PAS ->; <-> Between Peers | Syslog.
UDP 6831 | N | n/a | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6831 carries the compact-thrift protocol.
UDP 6832 | N | n/a | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6832 carries the binary-thrift protocol.
TCP 16686 (HTTP) (***) | N | n/a | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. TCP 16686 serves the tracing frontend over HTTP.

(*) denotes that these ports are a must and absolutely required.

(**) denotes that Syslog is configurable.

(***) denotes that it is recommended to open the port when using Graphical User Interface from the web browser.
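Before a new peer is joined, a practitioner will want to confirm that the ports marked (*) above are open end to end, not just in the firewall change ticket. The Python script below is an added example written for this guide, not SevOne code: it transcribes the mandatory TCP ports from the table, attempts a TCP connection to each on a given peer, and separates a refused connection (host up, nothing listening) from a timeout (typically a firewall silently dropping the SYN). The peer address, the timeout and the localhost listener used for its self-test are assumptions; ICMP and the UDP ports (123, 161, 162) cannot be verified with a connect probe and are reported as not probed.

```python
"""Reachability check for the mandatory (*) interpeer TCP ports listed above.

Added example, not SevOne code. The port list is transcribed from the table;
the peer address, timeout and the localhost listener used for the self-test
are hypothetical. ICMP and the UDP ports (123, 161, 162) are reported as
"not probed": a TCP connect() cannot tell an open UDP port from a filtered one.
"""
import socket
from dataclasses import dataclass

# Mandatory (*) TCP ports between peers, transcribed from the minimum-ports table.
REQUIRED_TCP = {
    22: "SSH",
    443: "HTTPS / REST API",
    3306: "MySQL - interpeer",
    3307: "MySQL2 - interpeer",
    9092: "Apache Kafka",
    60006: "sshd - interpeer",
    60007: "SevOne-requestd (ZMQ Curve)",
}
# Also required, but not verifiable with a TCP connect probe.
NOT_PROBED = ("ICMP echo", "UDP 123 NTP", "UDP 161 SNMP", "UDP 162 SNMP trap")


@dataclass
class PortResult:
    port: int
    service: str
    reachable: bool
    detail: str


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> PortResult:
    """connect() probe. A refusal means the host answered but nothing listens;
    a timeout usually means a firewall is silently dropping the SYN."""
    service = REQUIRED_TCP.get(port, "unlisted")
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortResult(port, service, True, "connected")
    except ConnectionRefusedError:
        return PortResult(port, service, False, "refused (host up, port closed)")
    except socket.timeout:
        return PortResult(port, service, False, "timed out (probably filtered)")
    except OSError as exc:
        return PortResult(port, service, False, f"error: {exc}")


def check_peer(host: str, ports=None, timeout: float = 2.0) -> dict:
    """Probe each port (default: every mandatory TCP port); returns {port: PortResult}."""
    ports = sorted(REQUIRED_TCP) if ports is None else ports
    return {p: probe_tcp(host, p, timeout) for p in ports}


def missing_ports(results: dict) -> list:
    """Ports that still have to be opened before this peer can join the cluster."""
    return sorted(p for p, r in results.items() if not r.reachable)


def local_listener(port: int = 0) -> socket.socket:
    """Self-test helper: a throwaway localhost listener standing in for a peer service.
    The kernel completes the handshake from the backlog, so no accept() loop is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # Self-test on localhost: one listener stands in for an open service, port 1 is closed.
    srv = local_listener()
    up = srv.getsockname()[1]
    results = check_peer("127.0.0.1", ports=[up, 1])
    for r in results.values():
        print(f"TCP {r.port:<6} {'OK  ' if r.reachable else 'FAIL'} {r.detail}")
    print("not probed:", ", ".join(NOT_PROBED))
    print("still to open:", missing_ports(results))
    srv.close()
```

Run the file as-is for the localhost self-test, or call check_peer("<peer address>") from each existing peer towards the new one (the bidirectional ports must be checked from both sides). Anything returned by missing_ports() has to be opened before the peer is added; a timeout on 3306/3307 or 9092 is the usual sign of an intermediate firewall, while a refusal points at the service on the peer itself.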

Additional Ports for Hot Standby Appliance (HSA) Deployment

The list below is for additional ports required for Hot Standby Appliance.

IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose
ICMP (*) | N | n/a | -> PAS; -> DNC; -> HSA; <-> Between Peers | Interpeer monitoring. ICMP from and to devices and interpeer monitoring.
TCP 22 (*) | Y | SSH-based encryption - can be configured by an admin user | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> iDRAC | SSH access - remote login.
TCP 25 | N | n/a | PAS ->; HSA -> | SMTP - to mail server.
TCP 80 | N | n/a | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> Data Insight | HTTP, SOAP API, and AJAX calls - end user terminal. UI port for Data Insight (configurable using environment variables); Data Insight uses port 80 only to redirect HTTP (80) requests to HTTPS (443).
TCP 443 (*) | Y | TLS-based encryption - can be configured by an admin user | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> iDRAC; -> Data Insight | HTTPS - end user terminal. UI port for Data Insight (configurable using environment variables); Data Insight redirects HTTP (80) requests to HTTPS (443).
UDP 123 | N | n/a | -> PAS; -> DNC; -> HSA; <-> Between Peers | NTP interpeer time sync. NTP - interpeer and to the NTP time source.
UDP 161 | N | n/a | PAS ->; DNC ->; HSA ->; <-> Between Peers | SNMP interpeer monitoring. SNMP - to devices and interpeer.
UDP 162 | N | n/a | -> PAS; -> HSA; <-> Between Peers | SNMP trap interpeer monitoring and traps from devices (optional).
UDP, TCP 53 | N | n/a | -> PAS; -> DNC; -> HSA | DNS.

(*) denotes that these ports are a must and absolutely required.

Required Ports for NMS Data Collection

IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose
UDP 161 | N | n/a | PAS ->; DNC ->; HSA ->; <-> Between Peers | SNMP interpeer monitoring. SNMP - to devices and interpeer.
UDP 162 | N | n/a | -> PAS; -> HSA; <-> Between Peers | SNMP trap interpeer monitoring and traps from devices (optional).

Required Ports for Remote Management

IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose
TCP 22 (*) | Y | SSH-based encryption - can be configured by an admin user | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> iDRAC | SSH access - remote login.
TCP 443 (*) | Y | TLS-based encryption - can be configured by an admin user | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> iDRAC; -> Data Insight | HTTPS - end user terminal. UI port for Data Insight (configurable using environment variables); Data Insight uses port 80 only to redirect HTTP (80) requests to HTTPS (443). prometheus - the main data collection service (runs only on the Cluster Leader and its HSA) - uses port 80 (HTTP) and port 443 (HTTPS). alertmanager - the main alerting service (runs only on the Cluster Leader and its HSA) - uses port 80 (HTTP) and port 443 (HTTPS).
UDP, TCP 5900 | Y | 128-bit SSL encryption. For additional details, refer to https://www.dell.com/support/article/en-us/sln306877/dell-poweredge-how-to-configure-the-idrac9-and-the-lifecycle-controller-network-ip?lang=en#ports | -> iDRAC | iDRAC virtual console keyboard and mouse connection.
UDP, TCP 5901 | Y | 128-bit SSL encryption. For additional details, refer to https://www.dell.com/support/article/en-us/sln306877/dell-poweredge-how-to-configure-the-idrac9-and-the-lifecycle-controller-network-ip?lang=en#ports | -> iDRAC | iDRAC virtual console video connection.

(*) denotes that these ports are a must and absolutely required.

Other Product Integration

SevOne Data Insight (SDI) Deployment

IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose
TCP 22 (*) | Y | SSH-based encryption - can be configured by an admin user | -> PAS; -> Data Insight | Required for SevOne Data Insight to update or install the Data Insight Reporting API (DIRA).
TCP 80 | N | n/a | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> Data Insight | HTTP, SOAP API, and AJAX calls - end user terminal. UI port for Data Insight (configurable using environment variables); Data Insight uses port 80 only to redirect HTTP (80) requests to HTTPS (443).
TCP 443 (*) | Y | TLS-based encryption - can be configured by an admin user | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> iDRAC; -> Data Insight | HTTPS - end user terminal. UI port for Data Insight (configurable using environment variables); Data Insight redirects HTTP (80) requests to HTTPS (443).
TCP 2379 - 2380 (*) | N | n/a | -> Data Insight | Required only for HA with embedded etcd. Source: K3s server nodes.
TCP 3000 (**) | N | n/a | Web Browser <-> Data Insight | Required for the Graphical User Interface Installer.
TCP 3001 (**) | N | n/a | Web Browser <-> Data Insight | Required for the Graphical User Interface Installer's backend (API).
TCP / UDP 5052 | Y | TLS-based encryption - can be configured by an admin user | -> NMS; -> Data Insight | DSPlugin (Data Insight access for its NMS data source peer). Important: only applies to SevOne Data Insight versions <= 1.6.0.
TCP 6443 (*) | N | n/a | -> Data Insight | Kubernetes API server. Source: K3s agent nodes.
TCP 10250 (*) | N | n/a | -> Data Insight | Kubelet metrics. Source: K3s server and agent nodes.
UDP 6831 | N | n/a | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6831 carries the compact-thrift protocol.
UDP 6832 | N | n/a | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6832 carries the binary-thrift protocol.
UDP 8472 | N | n/a | -> Data Insight | Required only for Flannel VXLAN. Source: K3s server and agent nodes. See the note and the Important item below.
TCP 16686 (HTTP) (**) | N | n/a | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. TCP 16686 serves the tracing frontend over HTTP.

Note: The nodes need to be able to reach each other over UDP port 8472 when Flannel VXLAN is used. The node should not listen on any other port. K3s uses reverse tunnelling, so that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. If you do not use Flannel and provide your own custom CNI, port 8472 is not needed by K3s.

Important: The VXLAN port on nodes must not be exposed to the world, as that lets anyone reach your cluster network. Run your nodes behind a firewall/security group that blocks access to port 8472 from anything other than the cluster's own nodes.

(*) denotes that these ports are a must and absolutely required.

(**) denotes that it is recommended to open the port when using Graphical User Interface from the web browser.
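The Important item above says port 8472 must never be reachable from outside the cluster, and the same least-privilege argument applies to the API server (6443), kubelet (10250) and etcd (2379-2380) ports in the same table. The Python script below is an added example, not SevOne or K3s code: it generates an nftables input ruleset for a Data Insight node that defaults to drop, admits the K3s ports only from an allow-list of cluster node addresses, limits the Graphical User Interface Installer ports (3000/3001) and SSH to admin hosts, and includes an audit function that flags any accept rule opening a K3s port without a cluster-node source restriction. The node and admin addresses, the interface name and the choice of nftables rather than a cloud security group are assumptions of the example.

```python
"""nftables allow-list for the K3s ports of a Data Insight node.

Added example, not SevOne or K3s code. The port numbers are transcribed from the
Data Insight table; the node and admin addresses, the interface name and the
choice of nftables (rather than a cloud security group) are this example's
assumptions. Feed the generated text to `nft -f`.
"""
from ipaddress import ip_network

# From the Data Insight table: K3s ports that must only be reachable from other cluster nodes.
K3S_TCP = ("6443", "10250", "2379-2380")
K3S_UDP = ("8472",)               # Flannel VXLAN; must never be exposed outside the cluster
INSTALLER_TCP = ("3000", "3001")  # GUI installer and its API; admin workstations only


def _validate(cidrs):
    """Normalise addresses and refuse a 0.0.0.0/0 entry, which would defeat the allow-list."""
    out = []
    for c in cidrs:
        net = ip_network(c, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"refusing to allow-list the whole Internet: {c}")
        out.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return out


def _set(name, cidrs):
    """An nftables interval set (accepts both single addresses and prefixes)."""
    return [f"  set {name} {{", "    type ipv4_addr", "    flags interval",
            f"    elements = {{ {', '.join(_validate(cidrs))} }}", "  }"]


def build_ruleset(cluster_nodes, admin_hosts, iface="eth0"):
    """Default-drop input chain: K3s ports from cluster nodes only, installer and SSH
    from admin hosts (SSH also from cluster nodes), HTTP/HTTPS UI ports from anywhere."""
    lines = ["table inet sevone_k3s {"]
    lines += _set("cluster_nodes", cluster_nodes)
    lines += _set("admin_hosts", admin_hosts)
    lines += [
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    icmp type echo-request accept",
    ]
    for p in K3S_TCP:
        lines.append(f'    iifname "{iface}" ip saddr @cluster_nodes tcp dport {p} accept')
    for p in K3S_UDP:
        lines.append(f'    iifname "{iface}" ip saddr @cluster_nodes udp dport {p} accept')
    for p in INSTALLER_TCP:
        lines.append(f'    iifname "{iface}" ip saddr @admin_hosts tcp dport {p} accept')
    lines += [
        "    ip saddr @admin_hosts tcp dport 22 accept",
        "    ip saddr @cluster_nodes tcp dport 22 accept",
        "    tcp dport { 80, 443 } accept",
        '    log prefix "k3s-drop " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines)


def unrestricted_k3s_rules(ruleset: str) -> list:
    """Audit a ruleset (generated or hand-written): return every accept rule that opens a
    K3s port without restricting the source to @cluster_nodes."""
    ports = set(K3S_TCP) | set(K3S_UDP)
    bad = []
    for raw in ruleset.splitlines():
        rule = raw.strip()
        if not rule.endswith("accept") or "dport" not in rule:
            continue
        dport = rule.split("dport", 1)[1].split()[0]
        if dport in ports and "saddr @cluster_nodes" not in rule:
            bad.append(rule)
    return bad


if __name__ == "__main__":
    # Hypothetical cluster subnet and a single admin workstation.
    rs = build_ruleset(["10.20.0.0/24"], ["10.99.0.7"])
    print(rs)
    print("unrestricted K3s rules:", unrestricted_k3s_rules(rs))
    print("audit of a bad rule:", unrestricted_k3s_rules("udp dport 8472 accept"))
```

Write the output to a file and load it with nft -f on each node. On a cloud deployment the same allow-list translates directly into a security group that permits 8472/udp, 6443/tcp, 10250/tcp and 2379-2380/tcp only from the cluster's own nodes; the audit function is the check to run against whatever ruleset is actually in place, since a single unrestricted accept on 8472 is enough to expose the overlay network.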

SevOne Data Publisher (SDP) Deployment

IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose
TCP 8082 | N | n/a | -> PAS | SevOne Data Publisher status page (optional / configured); on by default.
TCP 8443 | Y | TLS-based encryption - can be configured by an admin user | -> PAS | Secure port for the SevOne Data Publisher status page (optional / configured); off by default.
TCP 9092 (*) | Y | TLS-based encryption | <-> Between Peers | Apache Kafka.
TCP 9443 (**) | Y | TLS-based encryption | Web Browser <-> Cluster Leader | Required for Self Service Upgrades. Important: for Self Service Upgrades, the Graphical User Interface installer binds to TCP 9443 on the Cluster Leader and runs a service that the user connects to from the browser over HTTPS. If the Graphical User Interface installer is required, this port must be exposed.

(*) denotes that these ports are a must and absolutely required.

(**) denotes that it is recommended to open the port when using Graphical User Interface from the web browser.

Solutions Deployment

The following table provides port number requirements for Cisco SDN, Enterprise WiFi Monitoring, and SD-WAN (Fortinet, Velocloud, Versa and Viptela collectors).

Solution | IP (UDP/TCP)/ICMP | Direction | Purpose
SDN | TCP 80 (HTTP) | -> PAS | The API config / communication port.
SDN | TCP 443 (HTTPS) | -> PAS | The API config / communication port. Required for: collection of ACI fabric performance and status data; collection of site information from a multi-site controller; transfer of collected ACI fabric data to the SevOne NMS PAS for processing and storage.
SDN | UDP 6831 | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6831 carries the compact-thrift protocol.
SDN | UDP 6832 | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6832 carries the binary-thrift protocol.
SDN | TCP 16686 (HTTP) (*) | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. TCP 16686 serves the tracing frontend over HTTP.
WiFi | TCP 80 | -> PAS | PAS REST API config / collection port.
WiFi | TCP 443 | -> PAS | The API config / communication port.
WiFi | TCP 3306 | -> PAS | MySQL port.
WiFi | UDP 6831 | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6831 carries the compact-thrift protocol.
WiFi | UDP 6832 | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6832 carries the binary-thrift protocol.
WiFi | TCP 16686 (HTTP) (*) | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. TCP 16686 serves the tracing frontend over HTTP.
SD-WAN Fortinet | TCP 80 (HTTP) | -> PAS; -> FortiManager | The API config / communication port.
SD-WAN Fortinet | TCP 443 (HTTPS) | -> PAS; -> FortiManager | The API config / communication port. Required for: collection of device-level / object-level metadata; onboarding the devices from FortiManager; transfer of collected device-level and object-level metadata and new devices to the SevOne NMS PAS for processing and storage.
SD-WAN Velocloud | TCP 80 (HTTP) | -> PAS; -> Velocloud / VMware orchestrator | The API config / communication port.
SD-WAN Velocloud | TCP 443 (HTTPS) | -> PAS; -> Velocloud / VMware orchestrator | The API config / communication port. Required for: collection of device-level metadata; onboarding the devices from the Velocloud / VMware orchestrator; transfer of collected device-level metadata and new devices to the SevOne NMS PAS for processing and storage.
SD-WAN Versa | TCP 443 (Outbound) | -> PAS | Address: NMS server; NMS API port.
SD-WAN Versa | TCP 3000 (*) | Web Browser <-> Collector Leader Node | Required for the Graphical User Interface Installer. For the client, the config file location is /etc/sevone-guii/client.yaml.
SD-WAN Versa | TCP 3001 (*) | Web Browser <-> Collector Leader Node | Required for the Graphical User Interface Installer's backend (API). For the API, the config file location is /etc/sevone-guii/api.yaml.
SD-WAN Versa | TCP 6443 | Worker -> Master node | K3s supervisor and Kubernetes API server. The K3s server needs port 6443 to be accessible by all nodes.
SD-WAN Versa | UDP 6831 | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6831 carries the compact-thrift protocol.
SD-WAN Versa | UDP 6832 | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6832 carries the binary-thrift protocol.
SD-WAN Versa | UDP 8472 | <-> Between nodes | Flannel VXLAN backend. The nodes need to be able to reach each other over UDP port 8472 when using the Flannel VXLAN backend. If you do not use Flannel and provide your own custom CNI, the ports needed by Flannel are not needed by K3s.
SD-WAN Versa | TCP 9182 | -> vDirector | API port number of the targeted vDirector.
SD-WAN Versa | TCP 9992 (Inbound) | -> Collector Nodes | Flow syslogs from Versa devices.
SD-WAN Versa | TCP 9996 (Outbound) | Collector Nodes -> DNC | Address: NMS DNC server; Flow Augmentor output. Required for the DNC that the flows are being sent to.
SD-WAN Versa | TCP 10250 | <-> Between nodes | Kubelet metrics. All nodes must be accessible to each other on port 10250.
SD-WAN Versa | TCP 16686 (HTTP) (*) | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. TCP 16686 serves the tracing frontend over HTTP.
SD-WAN Versa | TCP 50001 (Inbound) | -> Collector Nodes | Versa syslogs from the Versa Analytics server (the port on which the collector listens for non-flow syslog data sent by Versa Analytics). Required for the log exporter to send UDP data to the collector and for syslog data in kvp format. The transport is listed here as TCP while the data is described as UDP; confirm the transport against the collector configuration before writing the firewall rule.
SD-WAN Viptela | TCP 443 (Outbound) | Collector Nodes -> PAS; -> vManage | Address: vManage server, for the Viptela vManage API. Address: NMS server, for the NMS API port.
SD-WAN Viptela | TCP 3000 (*) | Web Browser <-> Collector Leader Node | Required for the Graphical User Interface Installer. For the client, the config file location is /etc/sevone-guii/client.yaml.
SD-WAN Viptela | TCP 3001 (*) | Web Browser <-> Collector Leader Node | Required for the Graphical User Interface Installer's backend (API). For the API, the config file location is /etc/sevone-guii/api.yaml.
SD-WAN Viptela | TCP 6443 | Worker -> Master node | K3s supervisor and Kubernetes API server. The K3s server needs port 6443 to be accessible by all nodes.
SD-WAN Viptela | UDP 6831 | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6831 carries the compact-thrift protocol.
SD-WAN Viptela | UDP 6832 | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. UDP 6832 carries the binary-thrift protocol.
SD-WAN Viptela | TCP 8443 (Outbound) | -> vManage | Address: vManage server; Viptela vManage API.
SD-WAN Viptela | UDP 8472 | <-> Between nodes | Flannel VXLAN backend. The nodes need to be able to reach each other over UDP port 8472 when using the Flannel VXLAN backend. If you do not use Flannel and provide your own custom CNI, the ports needed by Flannel are not needed by K3s.
SD-WAN Viptela | TCP 9995 (Inbound) | -> Collector Nodes | Flow Augmentor input (the port on which Flow Augmentor listens for inbound flows; the port number can range from 9000 to 33000).
SD-WAN Viptela | TCP 9996 (Outbound) | Collector Nodes -> DNC | Address: NMS DNC server; Flow Augmentor output. Required for the DNC that the flows are being sent to.
SD-WAN Viptela | TCP 10250 | <-> Between nodes | Kubelet metrics. All nodes must be accessible to each other on port 10250.
SD-WAN Viptela | TCP 16686 (HTTP) (*) | -> PAS | (Optional) Tracing; for internal use only by the Support Team for troubleshooting. TCP 16686 serves the tracing frontend over HTTP.

(*) denotes that it is recommended to open the port when using Graphical User Interface from the web browser.

SevOne Distributed Netflow Connector (DNC) Deployment

IP (UDP/TCP)/ICMP | Encrypted | Encryption Type | Direction | Purpose
ICMP (*) | N | n/a | -> PAS; -> DNC; -> HSA; <-> Between Peers | Interpeer monitoring. ICMP from and to devices and interpeer monitoring.
TCP 22 (*) | Y | SSH-based encryption - can be configured by an admin user | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> iDRAC | SSH access - remote login.
TCP 80 | N | n/a | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> Data Insight | HTTP, SOAP API, and AJAX calls - end user terminal. UI port for Data Insight (configurable using environment variables); Data Insight uses port 80 only to redirect HTTP (80) requests to HTTPS (443).
TCP 443 (*) | Y | TLS-based encryption - can be configured by an admin user | -> PAS; -> DNC; -> HSA; <-> Between Peers; -> iDRAC; -> Data Insight | HTTPS - end user terminal. UI port for Data Insight (configurable using environment variables); Data Insight redirects HTTP (80) requests to HTTPS (443).
UDP 123 | N | n/a | -> PAS; -> DNC; -> HSA; <-> Between Peers | NTP interpeer time sync. NTP - interpeer and to the NTP time source.
UDP 161 | N | n/a | PAS ->; DNC ->; HSA ->; <-> Between Peers | SNMP interpeer monitoring. SNMP - to devices and interpeer.
UDP 6343 | N | n/a | -> DNC | sFlow data to the DNC (configurable / optional).
UDP 9996 | N | n/a | -> DNC | NetFlow data (sampled / non-sampled) to the DNC (configurable).
UDP, TCP 53 | N | n/a | -> PAS; -> DNC; -> HSA | DNS.

(*) denotes that these ports are a must and absolutely required.